diff --git a/charts/prometheus-grafana/Chart.yaml b/charts/prometheus-grafana/Chart.yaml index 7a10ae7..3fc6e5e 100644 --- a/charts/prometheus-grafana/Chart.yaml +++ b/charts/prometheus-grafana/Chart.yaml @@ -2,6 +2,6 @@ apiVersion: v2 name: prometheus-grafana-helm description: Prometheus and Grafana Helm Chart for Rahti platform Link to the repo https://github.com/CSCfi/helm-charts -version: 1.0.0 +version: 1.1.0 sources: - https://github.com/CSCfi/helm-charts diff --git a/charts/prometheus-grafana/README.md b/charts/prometheus-grafana/README.md index 9777a46..31f0f2e 100644 --- a/charts/prometheus-grafana/README.md +++ b/charts/prometheus-grafana/README.md @@ -11,6 +11,8 @@ If you want to use it with different values, you can edit `values.yaml` file and helm upgrade --install graf-prom . -f {custom_values.yaml} ``` +The password to access Grafana WebUI is generated randomly and won't change if you upgrade your chart. + ## Parameters ### HedgeDoc parameters 
@@ -18,29 +20,28 @@ helm upgrade --install graf-prom . -f {custom_values.yaml} | Name | Description | Value | | ---------------------------------------------------- | ------------------------------------------------------- | --------------------------------- | | `prometheus.appName` | Name of your app. | `prometheus` | -| `prometheus.image` | Name of the `prometheus` image | `prom/prometheus:v2.45.2` | +| `prometheus.image` | Name of the `prometheus` image | `prom/prometheus:v2.50.1` | | `prometheus.retentionTime` | Define how long data is kept in time-series database | `15d` | | `prometheus.limits.memory` | Define the maximum of amount of memory | `4Gi` | | `prometheus.requests.memory` | Define the minimum guaranteed amount of memory | `4Gi` | -| `prometheus.secret.user` | Name of the user to connect to prometheus webUI | `admin` | | `prometheus.pvc.storageSize` | Define the size of the Persistent Volume Claim | `5Gi` | | `prometheus.service.type` | Define the service type | `ClusterIP` | -| `prometheus.route.tls.termination` | Create an OpenShift route | `edge` | -| `prometheus.route.tls.insecureEdgeTerminationPolicy` | Create an OpenShift route | `Redirect` | ### Grafana parameters -| Name | Description | Value | -| ---------------------------------------------------- | ------------------------------------------------------- | --------------------------------- | -| `grafana.appName` | Name of your app. 
| `grafana` | -| `grafana.image` | Name of the `prometheus` image | `grafana/grafana:9.5.15` | -| `grafana.limits.memory` | Define the maximum of amount of memory | `1Gi` | -| `grafana.requests.memory` | Define the minimum guaranteed amount of memory | `1Gi` | -| `grafana.secret.adminUsername` | Name of the user to connect to prometheus webUI | `admin` | -| `grafana.pvc.storageSize` | Define the size of the Persistent Volume Claim | `5Gi` | -| `grafana.service.type` | Define the service type | `ClusterIP` | -| `grafana.route.tls.termination` | Create an OpenShift route | `edge` | -| `grafana.route.tls.insecureEdgeTerminationPolicy` | Create an OpenShift route | `Redirect` | +| Name | Description | Value | +| ---------------------------------------------------- | ------------------------------------------------------- | ------------------------------------------ | +| `grafana.appName` | Name of your app. | `grafana` | +| `grafana.image` | Name of the `prometheus` image | `grafana/grafana:10.2.4` | +| `grafana.limits.memory` | Define the maximum of amount of memory | `1Gi` | +| `grafana.requests.memory` | Define the minimum guaranteed amount of memory | `1Gi` | +| `grafana.random_pw_secret_key` | Key to store the password | `admin-password` | +| `grafana.secret.admin-username` | Name of the user to connect to prometheus webUI | `admin` | +| `grafana.secret.admin-password` | Function that retrieve the generated password | `'{{- include "random_pw_reusable" . - }}` | +| `grafana.service.type` | Define the service type | `ClusterIP` | +| `grafana.route.tls.termination` | Create an OpenShift route | `edge` | +| `grafana.route.tls.insecureEdgeTerminationPolicy` | Create an OpenShift route | `Redirect` | +| `grafana.pvc.storageSize` | Define the size of the Persistent Volume Claim | `5Gi` | ## Cleanup To delete all the resources, simply uninstall the Helm Chart: 
diff --git a/charts/prometheus-grafana/templates/NOTES.txt b/charts/prometheus-grafana/templates/NOTES.txt index 8a91390..f791b65 100644 --- a/charts/prometheus-grafana/templates/NOTES.txt +++ b/charts/prometheus-grafana/templates/NOTES.txt @@ -1,21 +1,7 @@ ======================================= CSC Prometheus-Grafana Helm deployed ======================================= -PROMETHEUS: -Get the Prometheus application URL by running these commands: - export PROMETHEUS=$(oc get route --namespace={{ .Release.Namespace }} -o yaml | yq '.items[] | select(.metadata.name == "{{ .Values.prometheus.appName }}-route") .spec.host' -r) - echo "PROMETHEUS server URL: http://$PROMETHEUS" - -The password for the access is generated randomly. -To retrieve the information, run these commands: - - echo Username: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.prometheus.appName }}-nginx-secret -o jsonpath="{.data.user}" | base64 -d) - echo Password: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.prometheus.appName }}-nginx-secret -o jsonpath="{.data.pass}" | base64 -d) - ------------------ - -GRAFANA: Get the Grafana application URL by running these commands: export GRAFANA=$(oc get route --namespace={{ .Release.Namespace }} -o yaml | yq '.items[] | select(.metadata.name == "{{ .Values.grafana.appName }}-route") .spec.host' -r) 
@@ -24,5 +10,14 @@ Get the Grafana application URL by running these commands: The password for the access is generated randomly. To retrieve the information, run these commands: - echo Username: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.grafana.appName }}-secret -o jsonpath="{.data.admin-username}" | base64 -d) - echo Password: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.grafana.appName }}-secret -o jsonpath="{.data.admin-password}" | base64 -d) \ No newline at end of file + echo Username: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.grafana.appName }} -o jsonpath="{.data.admin-username}" | base64 -d) + echo Password: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.grafana.appName }} -o jsonpath="{.data.admin-password}" | base64 -d) + +The Route to Prometheus is not deployed by default. If you want to access Prometheus, you can type this command: + + oc create route edge prometheus-route --service={{ .Values.prometheus.appName }}-service --insecure-policy='Redirect' --port=9090 + +And then, you can retrieve the Prometheus URL by running these commands: + + export PROMETHEUS=$(oc get route --namespace={{ .Release.Namespace }} -o yaml | yq '.items[] | select(.metadata.name == "{{ .Values.prometheus.appName }}-route") .spec.host' -r) + echo "PROMETHEUS server URL: http://$PROMETHEUS" \ No newline at end of file diff --git a/charts/prometheus-grafana/templates/_helpers.tpl b/charts/prometheus-grafana/templates/_helpers.tpl index 9304f98..61a6671 100644 --- a/charts/prometheus-grafana/templates/_helpers.tpl +++ b/charts/prometheus-grafana/templates/_helpers.tpl 
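Review bot: The added `oc create route edge prometheus-route ... --port=9090` instruction publishes Prometheus with nothing authenticating requests in front of it, because this commit removes the nginx basic-auth sidecar and moves the Service to 9090 (see the prometheus/deployment.yaml, prometheus/service.yaml and grafana/configmap.yaml datasource hunks). The text should say so before the command, for example `WARNING: this route exposes Prometheus without authentication; restrict access (IP allow-list on the route or an authenticating proxy) before creating it.` The route is created under the fixed name `prometheus-route`, while the lookup that follows selects `{{ .Values.prometheus.appName }}-route`, so the two diverge when appName is overridden; using `{{ .Values.prometheus.appName }}-route` in the create command keeps them aligned. The echoed URL also still uses `http://` although the route is edge-terminated with a Redirect policy.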
@@ -51,45 +51,36 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* -Create the name of the service account to use +Define a function that generate static password */}} -{{- define "prometheus-grafana.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "prometheus-grafana.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} +{{- define "generate_static_password" -}} +{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}} +{{- if not (index .Release "tmp_vars") -}} +{{- $_ := set .Release "tmp_vars" dict -}} +{{- end -}} +{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}} +{{- $key := printf "%s_%s" .Release.Name "password" -}} +{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}} +{{- if not (index .Release.tmp_vars $key) -}} +{{- /* ... store random password under the $key */ -}} +{{- $_ := set .Release.tmp_vars $key (randAlphaNum 20) -}} +{{- end -}} +{{- /* Retrieve previously generated value. */ -}} +{{- index .Release.tmp_vars $key -}} +{{- end -}} -{{/* -Generate prometheus secret password -*/}} -{{- define "prometheus.secretPassword" -}} -pass: {{ randAlphaNum 16 | quote }} -{{- end }} - -{{/* -Generate grafana secret password +{{/* +Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password. */}} -{{- define "grafana.secretPassword" -}} -admin-password: {{ randAlphaNum 16 | quote }} -{{- end }} - -# {{/* -# Generate prometheus static password for multiple use -# */}} -# {{- define "prometheus.staticPassword" -}} -# {{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. 
*/ -}} -# {{- if not (index .Release "tmp_vars") -}} -# {{- $_ := set .Release "tmp_vars" dict -}} -# {{- end -}} -# {{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}} -# {{- $key := printf "%s_%s" .Release.Name "password" -}} -# {{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}} -# {{- if not (index .Release.tmp_vars $key) -}} -# {{- /* ... store random password under the $key */ -}} -# {{- $_ := set .Release.tmp_vars $key (randAlphaNum 16 | quote ) -}} -# {{- end -}} -# {{- /* Retrieve previously generated value. */ -}} -# {{- index .Release.tmp_vars $key -}} -# {{- end -}} \ No newline at end of file +{{- define "random_pw_reusable" -}} + {{- if .Release.IsUpgrade -}} + {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.grafana.appName).data -}} + {{- if $data -}} + {{- index $data .Values.grafana.random_pw_secret_key | b64dec -}} + {{- end -}} + {{- else -}} + {{- if and (required "You must pass .Values.grafana.appName (the name of a secret to retrieve password from on upgrade)" .Values.grafana.appName) (required "You must pass .Values.grafana.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.grafana.random_pw_secret_key) -}} + {{- (include "generate_static_password" .) -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/prometheus-grafana/templates/grafana/configmap.yaml b/charts/prometheus-grafana/templates/grafana/configmap.yaml index 9384528..295947d 100644 --- a/charts/prometheus-grafana/templates/grafana/configmap.yaml +++ b/charts/prometheus-grafana/templates/grafana/configmap.yaml @@ -7,7 +7,7 @@ data: [paths] data = /var/lib/grafana plugins = /var/lib/grafana/plugins - provisioning = /etc/grafana/provisioning + provisioning = /usr/share/grafana/conf/provisioning [log] mode = console 
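Review bot: In `random_pw_reusable`, the upgrade branch renders an empty string when the lookup finds no Secret or no data, and the secret.yaml hunk then stores an empty `admin-password`. This is reachable from the visible lines: the Secret is renamed from `{{ .Values.grafana.appName }}-secret` to `{{ .Values.grafana.appName }}` in this commit, so an upgrade from chart 1.0.0 looks up a Secret that does not exist yet, and `lookup` also returns nothing under `helm template` and client-side dry runs. What Grafana does with an empty admin password is not shown here, but it is presumably not the intended random credential. Falling back to `generate_static_password` whenever no stored value is found closes the gap, as sketched below.

```gotemplate
{{- define "random_pw_reusable" -}}
  {{- $existing := "" -}}
  {{- if .Release.IsUpgrade -}}
    {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.grafana.appName).data -}}
    {{- $existing = default "" (index $data .Values.grafana.random_pw_secret_key) -}}
  {{- end -}}
  {{- if $existing -}}
    {{- $existing | b64dec -}}
  {{- else -}}
    {{- /* … unchanged: the `required` guard on appName / random_pw_secret_key wraps this include … */ -}}
    {{- include "generate_static_password" . -}}
  {{- end -}}
{{- end -}}
```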
@@ -23,11 +23,7 @@ data: type: prometheus access: proxy org_id: 1 - url: http://prometheus-service:9091 + url: http://prometheus-service:9090 is_default: true version: 1 editable: true - basicAuth: true - basicAuthUser: ${BASIC_AUTH_USER} - secureJsonData: - basicAuthPassword: ${BASIC_AUTH_PASS} \ No newline at end of file diff --git a/charts/prometheus-grafana/templates/grafana/deployment.yaml b/charts/prometheus-grafana/templates/grafana/deployment.yaml index c0ce798..18e12c4 100644 --- a/charts/prometheus-grafana/templates/grafana/deployment.yaml +++ b/charts/prometheus-grafana/templates/grafana/deployment.yaml @@ -26,22 +26,12 @@ spec: valueFrom: secretKeyRef: key: admin-username - name: grafana-secret + name: {{ .Values.grafana.appName }} - name: ADMIN_PASSWORD valueFrom: secretKeyRef: key: admin-password - name: grafana-secret - - name: BASIC_AUTH_USER - valueFrom: - secretKeyRef: - key: user - name: prometheus-nginx-secret - - name: BASIC_AUTH_PASS - valueFrom: - secretKeyRef: - key: pass - name: prometheus-nginx-secret + name: {{ .Values.grafana.appName }} args: - '--homepath=/usr/share/grafana' - '--config=/etc/grafana/grafana.ini' diff --git a/charts/prometheus-grafana/templates/grafana/secret.yaml b/charts/prometheus-grafana/templates/grafana/secret.yaml index e37e9f3..5b23d60 100644 --- a/charts/prometheus-grafana/templates/grafana/secret.yaml +++ b/charts/prometheus-grafana/templates/grafana/secret.yaml @@ -1,8 +1,11 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .Values.grafana.appName }}-secret + name: {{ .Values.grafana.appName }} type: Opaque -stringData: - admin-username: {{ .Values.grafana.secret.adminUsername }} - {{- include "grafana.secretPassword" . | nindent 2 }} \ No newline at end of file +{{- if .Values.grafana.secret}} +data: + {{- range $key, $val := .Values.grafana.secret }} + "{{ $key }}": "{{ tpl $val $ | b64enc }}" + {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/charts/prometheus-grafana/templates/prometheus/configmap-nginx.yaml b/charts/prometheus-grafana/templates/prometheus/configmap-nginx.yaml deleted file mode 100644 index 8b0a58f..0000000 --- a/charts/prometheus-grafana/templates/prometheus/configmap-nginx.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Values.prometheus.appName }}-nginx-config -data: - nginx.conf: |- - http { - server { - listen 9091; - location / { - auth_basic "Prometheus"; - auth_basic_user_file /etc/nginx/secrets/passwd; - proxy_pass http://localhost:9090/; - } - } - } - events {} \ No newline at end of file diff --git a/charts/prometheus-grafana/templates/prometheus/deployment.yaml b/charts/prometheus-grafana/templates/prometheus/deployment.yaml index a0377b3..f61914d 100644 --- a/charts/prometheus-grafana/templates/prometheus/deployment.yaml +++ b/charts/prometheus-grafana/templates/prometheus/deployment.yaml @@ -17,26 +17,6 @@ spec: spec: serviceAccount: {{ .Values.prometheus.appName }}-sa serviceAccountName: {{ .Values.prometheus.appName }}-sa - initContainers: - - image: docker-registry.rahti.csc.fi/da-images/alpine-htpasswd:latest - env: - - name: USER - valueFrom: - secretKeyRef: - key: user - name: {{ .Values.prometheus.appName }}-nginx-secret - - name: PASS - valueFrom: - secretKeyRef: - key: pass - name: {{ .Values.prometheus.appName }}-nginx-secret - command: ["/bin/sh","-c","htpasswd -bc /tmp/secret-file/passwd $USER $PASS"] - name: htpasswd-generator - volumeMounts: - - name: {{ .Values.prometheus.appName }}-htpasswd-tmp - mountPath: "/tmp/secret-file" - - name: {{ .Values.prometheus.appName }}-nginx-secret - mountPath: "/tmp/secret-env" containers: - name: {{ .Values.prometheus.appName }} args: 
@@ -59,23 +39,6 @@ spec: name: {{ .Values.prometheus.appName }}-config - mountPath: /data name: {{ .Values.prometheus.appName }}-data - - name: nginx - image: cscfi/nginx-okd - imagePullPolicy: Always - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 300m - memory: 512Mi - ports: - - containerPort: 9091 - volumeMounts: - - name: {{ .Values.prometheus.appName }}-nginx-config - mountPath: /etc/nginx - - name: {{ .Values.prometheus.appName }}-htpasswd-tmp - mountPath: /etc/nginx/secrets restartPolicy: Always volumes: - name: {{ .Values.prometheus.appName }}-config @@ -85,11 +48,4 @@ spec: - name: {{ .Values.prometheus.appName }}-data persistentVolumeClaim: claimName: {{ .Values.prometheus.appName }}-data - - name: {{ .Values.prometheus.appName }}-nginx-secret - secret: - secretName: {{ .Values.prometheus.appName }}-nginx-secret - - name: {{ .Values.prometheus.appName }}-htpasswd-tmp - emptyDir: {} - - name: {{ .Values.prometheus.appName }}-nginx-config - configMap: - name: {{ .Values.prometheus.appName }}-nginx-config \ No newline at end of file + \ No newline at end of file diff --git a/charts/prometheus-grafana/templates/prometheus/route.yaml b/charts/prometheus-grafana/templates/prometheus/route.yaml deleted file mode 100644 index 20a9a64..0000000 --- a/charts/prometheus-grafana/templates/prometheus/route.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: {{ .Values.prometheus.appName }}-route -spec: - port: - targetPort: 9091 - to: - kind: Service - name: {{ .Values.prometheus.appName }}-service - tls: - termination: {{ .Values.prometheus.route.tls.termination }} - insecureEdgeTerminationPolicy: {{ .Values.prometheus.route.tls.insecureEdgeTerminationPolicy }} \ No newline at end of file diff --git a/charts/prometheus-grafana/templates/prometheus/secret.yaml b/charts/prometheus-grafana/templates/prometheus/secret.yaml deleted file mode 100644 index 9c5dc48..0000000 
--- a/charts/prometheus-grafana/templates/prometheus/secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.prometheus.appName }}-nginx-secret -type: Opaque -stringData: - user: {{ .Values.prometheus.secret.user }} - {{- include "prometheus.secretPassword" . | nindent 2 }} \ No newline at end of file diff --git a/charts/prometheus-grafana/templates/prometheus/service.yaml b/charts/prometheus-grafana/templates/prometheus/service.yaml index b52d7c2..bba3efe 100644 --- a/charts/prometheus-grafana/templates/prometheus/service.yaml +++ b/charts/prometheus-grafana/templates/prometheus/service.yaml @@ -4,8 +4,8 @@ metadata: name: {{ .Values.prometheus.appName }}-service spec: ports: - - port: 9091 - targetPort: 9091 + - port: 9090 + targetPort: 9090 selector: app: {{ .Values.prometheus.appName }} type: {{ .Values.prometheus.service.type }} \ No newline at end of file diff --git a/charts/prometheus-grafana/values.yaml b/charts/prometheus-grafana/values.yaml index 143ff82..7d3ca6b 100644 --- a/charts/prometheus-grafana/values.yaml +++ b/charts/prometheus-grafana/values.yaml @@ -1,6 +1,6 @@ prometheus: appName: prometheus - image: prom/prometheus:v2.45.2 + image: prom/prometheus:v2.50.1 retentionTime: 15d limits: @@ -8,31 +8,25 @@ prometheus: requests: memory: 4Gi - secret: - user: admin - pvc: storageSize: 5Gi service: type: ClusterIP - route: - tls: - termination: edge - insecureEdgeTerminationPolicy: Redirect - grafana: appName: grafana - image: grafana/grafana:9.5.15 + image: grafana/grafana:10.2.4 limits: memory: 1Gi requests: memory: 1Gi + random_pw_secret_key: admin-password secret: - adminUsername: admin + admin-username: admin + admin-password: '{{- include "random_pw_reusable" . -}}' pvc: storageSize: 5Gi
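Review bot: `grafana.random_pw_secret_key` and the `admin-password` entry under `grafana.secret` must name the same key, and grafana/deployment.yaml reads `key: admin-password` literally, but nothing in values.yaml states that coupling. If `random_pw_secret_key` is changed on its own, the helper looks up a key that secret.yaml never writes, and the upgrade path yields no password. A comment above the setting would cover it, e.g. `# Must match the password key under grafana.secret and the secretKeyRef key in the Grafana deployment`. Replacing `secret.admin-password` with a literal value also leaves the credential in clear text in the values file, which deserves a one-line caution next to that entry.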